Security and Human Behavior

I'm writing from the First Interdisciplinary Workshop on Security and Human Behavior (SHB 08).

Security is both a feeling and a reality, and they're different. There are several different research communities: technologists who study security systems, and psychologists who study people, not to mention economists, anthropologists and others. Increasingly these worlds are colliding.

  • Security design is by nature psychological, yet many systems ignore this, and cognitive biases lead people to misjudge risk. For example, a key in the corner of a web browser makes people feel more secure than they actually are, while people feel far less secure flying than they actually are. These biases are exploited by various attackers.

  • Security problems relate to risk and uncertainty, and the way we react to them. Cognitive and perception biases affect the way we deal with risk, and therefore the way we understand security—whether that is the security of a nation, of an information system, or of one's personal information.

  • Many real attacks on information systems exploit psychology more than technology. Phishing attacks trick people into logging on to websites that appear genuine but actually steal passwords. Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder. Deception-based attacks are now the greatest threat to online security.

  • In order to be effective, security must be usable—not just by geeks, but by ordinary people. Research into usable security invariably has a psychological component.

  • Terrorism is perceived to be a major threat to society. Yet the actual damage done by terrorist attacks is dwarfed by the secondary effects as target societies overreact. There are many topics here, from the manipulation of risk perception to the anthropology of religion.

  • There are basic research questions; for example, about the extent to which the use and detection of deception in social contexts may have helped drive human evolution.

The dialogue between researchers in security and in psychology is rapidly widening, bringing in more and more disciplines—from security usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other.

About a year ago Ross Anderson and I conceived this conference as a way to bring together computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security. I've read a lot -- and written some -- on psychology and security over the past few years, and have been continually amazed by some of the research that people outside my field have been doing on topics very relevant to my field. Ross and I both thought that bringing these diverse communities together would be fascinating to everyone. So we convinced behavioral economists Alessandro Acquisti and George Loewenstein to help us organize the workshop, invited the people we all have been reading, and also asked them who else to invite. The response was overwhelming. Almost everyone we wanted was able to attend, and the result was a 42-person conference with 35 speakers.

We're most of the way through the morning, and it's been even more fascinating than I expected. (Here's the agenda.) We've talked about detecting deception in people, organizational biases in making security decisions, building security "intuition" into Internet browsers, different techniques to prevent crime, complexity and failure, and the modeling of security feeling.

I had high hopes of liveblogging this event, but it's far too fascinating to spend time writing posts. If you want to read some of the more interesting papers written by the participants, this is a good page to start with.

I'll write more about the conference later.

EDITED TO ADD (6/30): Ross Anderson has a blog post, where he liveblogs the individual sessions in the comments. And I should add that this was an invitational event -- which is why you haven't heard about it before -- and that the room here at MIT is completely full.

EDITED TO ADD (7/1): Matt Blaze has posted audio. And Ross Anderson -- link above -- is posting paragraph-long summaries for each speaker.

EDITED TO ADD (7/6): Photos of the speakers.

EDITED TO ADD (7/7): MSNBC article on the workshop. And L. Jean Camp's notes.

Posted on June 30, 2008 at 11:17 AM • 17 Comments

Comments

2BeeLeftOut • June 30, 2008 11:28 AM

Pity me, I feel insecure now being left out, and not invited. :) Perhaps I just need more security?!
Keep up the good blog.

Seer • June 30, 2008 12:04 PM

Will there be any video of any of the sessions? Audio? Transcript? Anything?

Anonymous • June 30, 2008 12:29 PM

Remember, citizens....
we are determining your level of guilt now.

do not resist.

no one is innocent.

justice will be swift.

Davi Ottenheimer • June 30, 2008 1:01 PM

I'll forward you our paper that was based on five years of 419 scam (AFF) research:

"False Voices: the Impact of Culture on Information Security"

Linguistic anthropology can help expose human susceptibility to fraud.

beanman • June 30, 2008 5:15 PM

I'm with Seer; any chance there will be some video clips from the conference?

Matt Blaze • July 1, 2008 12:21 AM

There's no video. However, I happened to bring a (soulless digital) audio recorder with me up to Cambridge and have been recording (most of) the sessions. I should have .mp3 files up on my web site tomorrow or Wednesday. Watch this space or my blog (www.crypto.com/blog).

Veronique • July 1, 2008 2:03 AM

Thanks for this post which makes me think (as to say it in English, I'm French); I will read the papers.
What you underlined with this crossed approach seems to be something "emerging" in society: a "new" interest from technology (and even hard sciences) to "sciences humaines" (such as sociology, ethnology, etc. and even literature).

privacy wonkette • July 1, 2008 3:00 PM

Wow. My reading list just got a whole lot longer (despite the fact that I've actually read some of these already).

Great conference. I wish I could have been there.

MattGinzton • July 2, 2008 12:49 PM

> Terrorism is perceived to be a major threat to society
> Yet the actual damage done by terrorist attacks
> is dwarfed by the secondary effects as target societies
> overreact.

Yup. Sounds like the societal equivalent of an allergic response -- the immune system, which is supposed to protect you, overreacts.

Ajay • September 22, 2008 7:07 AM

"People and Processes are more important than technology for information security" Was any study done on this? Can this be measured? Please direct me to useful URLs. Thanks!

Angelo • May 18, 2009 8:14 PM

Zanjoc quote: "Human behavior cannot be explained yet, because we will be talking about the whole mankind and every place has its own culture, the behavior is universal, but it can be torn apart to come up with a description."

What do you think about that?
